AH headers would be an issue. In theory, they have been deprecated, but they are still widely supported.

From: Int-area <int-area-boun...@ietf.org> On Behalf Of waldemar
Sent: Tuesday, March 28, 2023 9:45 AM
To: int-area@ietf.org
Subject: [EXTERNAL] [Int-area] draft-augustyn-intarea-ipref: security

I'd like to follow up on a question that a gentleman asked me during the presentation. That exchange got a little out of hand with a discussion about what is 'scary' but there were valid points. The gentleman brought up IPSEC with what sounded to me like a suggestion that maybe IPREF is trying to provide a similar service to IPSEC except without security.

First off, I need to make it clear that IPREF does not provide encryption. IPREF is an add-on to existing network protocols. It enhances a network protocol's addressing capability. It relies on the underlying protocol for everything else such as routing but also header/packet integrity checks, etc. It does not lessen any existing security measures. If anything it provides some improvement in that it allows the peers to keep their real local IP addresses unknown. It also allows to keep local protocol domains unknown. Both are represented by a reference which is an opaque value allocated solely at the discretion of the local admins.

IPSEC is orthogonal to IPREF. Missions are different. IPREF with IPv4 and IPv6 carries payload in clear because the respective protocols carry it in clear. IPSEC is one way to secure it through encryption. There is no conflict. Another way is TLS, also without a conflict. I know TLS and SSH work with IPREF because I tested both. I haven't tried IPSEC.

One possible issue might be address rewriting and its effect on IPSEC. But IPSEC is known to work over NAT which rewrites addresses similarly to IPREF. So there is a good chance it will work with IPREF as well.

There may also be a little bit of layer positioning. Is IPSEC a different protocol than IPv4 or IPv6? It is not. Like IPREF, it is an add-on that enhances both of them. So the question may be if those add-ons interfere with one another. Since both add-ons have different, orthogonal missions, I don't see a problem in general terms. In details it is important to understand how they would work with one another. One would think, since IPSEC has no choice but to let addresses go in clear and be rewritten, then references being a representation of addresses should also go in clear and be allowed to be rewritten, in particular added/dropped.

_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area